feat: expose SARIF results for further use

SARIF data are available under output `sarif`.

Co-authored-by: Kamil Dudka <[email protected]>

.github/workflows/differential-shellcheck.yml

@@ -36,7 +36,16 @@ jobs:
           sed -i "s/docker:\/\/ghcr\.io\/redhat-plumbers-in-action\/differential-shellcheck.*/Dockerfile/g" action.yml
 
       - name: Differential ShellCheck - test current changes
+        id: ShellCheck
         uses: ./
         with:
           shell-scripts: .github/.differential-shellcheck-scripts.txt
           token: ${{ secrets.GITHUB_TOKEN }}
+
+      - if: ${{ always() }}
+        name: Upload artifact with defects in SARIF format
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        with:
+          name: Differential ShellCheck SARIF
+          path: ${{ steps.ShellCheck.outputs.sarif }}
+          retention-days: 7

README.md

@@ -80,10 +80,18 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Differential ShellCheck
+      - id: ShellCheck
+        name: Differential ShellCheck
         uses: redhat-plumbers-in-action/differential-shellcheck@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+
+      - if: ${{ always() }}
+        name: Upload artifact with ShellCheck defects in SARIF format
+        uses: actions/upload-artifact@v3
+        with:
+          name: Differential ShellCheck SARIF
+          path: ${{ steps.ShellCheck.outputs.sarif }}
 ```
 
 > **Warning**: _`fetch-depth: 0` is required in order to run `differential-shellcheck` successfully._
@@ -273,6 +281,35 @@ Token needs to have the following [characteristics](https://docs.github.com/en/r
 * Token with the `security_events: write` scope to use this endpoint for private repositories.
 * Token with the `public_repo` scope for **public repositories only**.
 
+If the `token` isn't passed, SARIF file can be uploaded manually using [sarif from outputs](#sarif) and [github/codeql-action/upload-sarif](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions) GitHub Action.
+
+## Outputs
+
+Differential ShellCheck exposes following [outputs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs).
+
+### sarif
+
+Relative path to SARIF file containing detected defects. Example of use:
+
+```yaml
+- id: ShellCheck
+  name: Differential ShellCheck
+  uses: redhat-plumbers-in-action/differential-shellcheck@v4
+
+- if: ${{ always() }}
+  name: Upload artifact with ShellCheck defects in SARIF format
+  uses: actions/upload-artifact@v3
+  with:
+    name: Differential ShellCheck SARIF
+    path: ${{ steps.ShellCheck.outputs.sarif }}
+
+- if: ${{ always() }}
+  name: Upload SARIF to GitHub using github/codeql-action/upload-sarif
+  uses: github/codeql-action/upload-sarif@v2
+  with:
+    sarif_file: ${{ steps.ShellCheck.outputs.sarif }}
+```
+
 ## Limitations
 
 * `differential-shellcheck` Action doesn't run correctly when overwriting commits using `--force` and when the triggering event is `push`.

action.yml

@@ -74,6 +74,10 @@ inputs:
     description: GitHub TOKEN used to upload SARIF data.
     required: false
 
+outputs:
+  sarif:
+    description: 'The SARIF file containing defects'
+
 runs:
   using: docker
   image: docker://ghcr.io/redhat-plumbers-in-action/differential-shellcheck:v3.3.1

docs/CHANGELOG.md

@@ -19,6 +19,7 @@
             fetch-depth: 0
 
         - uses: redhat-plumbers-in-action/differential-shellcheck@v4
+          id: ShellCheck
           with:
             token: ${{ secrets.GITHUB_TOKEN }}
   ```
@@ -27,6 +28,18 @@
 
 * Action now perform full scans on `push` event by default and on `manual` trigger when requested
 * Addition of new Summary page for full scans
+* SARIF file is now exposed under output `sarif` for further use.
+
+  ```yaml
+    - if: ${{ always() }}
+      name: Upload artifact with defects in SARIF format
+      uses: actions/upload-artifact@v3
+      with:
+        name: Differential ShellCheck SARIF
+        path: ${{ steps.ShellCheck.outputs.sarif }}
+        retention-days: 7
+  ```
+
 * Removal of unused output - `ENV.LIST_OF_SCRIPTS`
 * Increased code coverage
 * Some minor bugfixes, ShellCheck fixes, and CI updates

src/index.sh

@@ -93,26 +93,30 @@ echo
 evaluate_and_print_defects
 exit_status=$?
 
+# Upload all defects when Full scan was requested
+if [[ ${FULL_SCAN} -eq 0 ]]; then
+  cp ../full-shellcheck.err ../sarif-defects.log
+else
+  cp ../defects.log ../sarif-defects.log
+fi
+
+# GitHub requires an absolute path, so let's remove the './' prefix from it.
+# TODO: Don't hardcode ShellCheck version
+csgrep \
+  --strip-path-prefix './' \
+  --mode=sarif \
+  --set-scan-prop='tool:ShellCheck' \
+  --set-scan-prop='tool-version:0.8.0' \
+  --set-scan-prop='tool-url:https://www.shellcheck.net/wiki/' \
+  '../sarif-defects.log' >> output.sarif
+
+echo "sarif=output.sarif" >> "${GITHUB_OUTPUT}"
+
 # SARIF upload
 if [[ -n "${INPUT_TOKEN}" ]]; then
   echo
 
-  # Upload all defects when Full scan was requested
-  if [[ ${FULL_SCAN} -eq 0 ]]; then
-    cp ../full-shellcheck.err ../sarif-defects.log
-  else
-    cp ../defects.log ../sarif-defects.log
-  fi
-
-  # GitHub requires an absolute path, so let's remove the './' prefix from it.
-  # TODO: Don't hardcode ShellCheck version
-  csgrep \
-    --strip-path-prefix './' \
-    --mode=sarif \
-    --set-scan-prop='tool:ShellCheck' \
-    --set-scan-prop='tool-version:0.8.0' \
-    --set-scan-prop='tool-url:https://www.shellcheck.net/wiki/' \
-    '../sarif-defects.log' >> output.sarif && uploadSARIF
+  uploadSARIF
 fi
 
 summary >> "${GITHUB_STEP_SUMMARY}"